JWT Authentication Policy
Policy Type
UI Documentation
📖 For detailed information: [UI Documentation Link - Link will be added here]
Description
JWT Authentication policy manages JWT (JSON Web Token) authentication. It can issue, validate, and refresh JWT tokens. JWT tokens are used for stateless authentication and authorization.
Endpoints
List Policies
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Add Policy
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Update Policy
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Delete Policy
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
List Policies
Endpoint
GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/
Request
| Header |
Value |
| Authorization |
Bearer {token} |
Path Parameters
| Parameter |
Type |
Required |
Description |
| projectName |
string |
Yes |
Project name |
| apiProxyName |
string |
Yes |
API Proxy name |
Response
Success Response (200 OK)
{
"success": true,
"resultList": [
{
"apiProxy": {
"name": "MyAPI",
"requestPolicyList": [
{
"type": "policy-auth-jwt",
"name": "jwt-auth-policy",
"description": "JWT authentication policy",
"active": true,
"tokenNeverExpires": false,
"tokenExpiresInAmount": 3600,
"tokenExpiresInUnit": "SECONDS",
"refreshTokenAllowed": true,
"refreshTokenCount": 5,
"refreshTokenExpiresInAmount": 86400,
"refreshTokenExpiresInUnit": "SECONDS",
"allowUrlParameters": false,
"managedFromThisPolicy": true,
"grantType": "PASSWORD",
"jwtSignatureAlgorithm": "HS256"
}
],
"responsePolicyList": [],
"errorPolicyList": []
}
}
],
"resultCount": 1
}
cURL Example
curl -X GET \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
-H "Authorization: Bearer YOUR_TOKEN"
Add Policy
Endpoint
POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
| Header |
Value |
| Authorization |
Bearer {token} |
| Content-Type |
application/json |
Path Parameters
| Parameter |
Type |
Required |
Description |
| projectName |
string |
Yes |
Project name |
| apiProxyName |
string |
Yes |
API Proxy name |
| policyName |
string |
Yes |
Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-auth-jwt",
"description": "JWT authentication policy - issue and validate tokens",
"active": true,
"tokenNeverExpires": false,
"tokenExpiresInAmount": 3600,
"tokenExpiresInUnit": "SECONDS",
"refreshTokenAllowed": true,
"refreshTokenCount": 5,
"refreshTokenExpiresInAmount": 86400,
"refreshTokenExpiresInUnit": "SECONDS",
"allowUrlParameters": false,
"managedFromThisPolicy": true,
"grantType": "PASSWORD",
"jwtSignatureAlgorithm": "HS256"
}
}
Request Body Fields
| Field |
Type |
Required |
Default |
Description |
| targetScope |
string |
Yes |
- |
Policy scope: ALL or ENDPOINT |
| targetEndpoint |
string |
No* |
- |
Endpoint path (required if targetScope=ENDPOINT) |
| targetEndpointHTTPMethod |
string |
No* |
- |
HTTP method (required if targetScope=ENDPOINT) |
| targetPipeline |
string |
Yes |
- |
Pipeline: REQUEST, RESPONSE, or ERROR |
| deploy |
boolean |
No |
true |
Whether to deploy after adding policy |
| deployTargetEnvironmentNameList |
array |
No |
[] |
List of environment names to deploy to |
| order |
integer |
No |
null |
Policy execution order (starts from 1) |
Enum: targetScope
ALL - Policy applies to all endpointsENDPOINT - Policy applies only to specified endpoint
Enum: targetPipeline
REQUEST - Executes in request pipelineRESPONSE - Executes in response pipelineERROR - Executes in error pipeline
Enum: targetEndpointHTTPMethod
GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD
policy
| Field |
Type |
Required |
Default |
Description |
| type |
string |
Yes |
- |
Policy type: policy-auth-jwt |
| description |
string |
No |
- |
Policy description |
| active |
boolean |
No |
true |
Whether policy is active |
| tokenNeverExpires |
boolean |
No |
true |
Whether token never expires |
| tokenExpiresInAmount |
long |
No* |
- |
Token expiration amount (required if tokenNeverExpires=false) |
| tokenExpiresInUnit |
string |
No* |
- |
Token expiration unit (required if tokenNeverExpires=false) |
| refreshTokenAllowed |
boolean |
No |
false |
Allow refresh tokens |
| refreshTokenCount |
integer |
No |
- |
Maximum number of refresh tokens per user |
| refreshTokenExpiresInAmount |
long |
No |
- |
Refresh token expiration amount |
| refreshTokenExpiresInUnit |
string |
No |
- |
Refresh token expiration unit |
| allowUrlParameters |
boolean |
No |
false |
Allow token in URL parameters |
| managedFromThisPolicy |
boolean |
No |
true |
Token managed from this policy |
| grantType |
string |
No |
PASSWORD |
Grant type for token issuance |
| jwtSignatureAlgorithm |
string |
Yes |
- |
JWT signature algorithm |
EnumTimeUnit
MILLI_SECONDS - MillisecondsSECONDS - SecondsMINUTES - MinutesHOURS - HoursDAYS - DaysWEEKS - WeeksMONTHS - MonthsYEARS - Years
EnumTimeUnit
MILLI_SECONDS - MillisecondsSECONDS - SecondsMINUTES - MinutesHOURS - HoursDAYS - DaysWEEKS - WeeksMONTHS - MonthsYEARS - Years
EnumPolicyAuthenticationGrantType
PASSWORD - Password grant type (username/password)CLIENT_CREDENTIALS - Client credentials grant type (client_id/client_secret)
JWT Signature Algorithms
Common algorithms supported:
HS256 - HMAC SHA-256 (symmetric)HS384 - HMAC SHA-384 (symmetric)HS512 - HMAC SHA-512 (symmetric)RS256 - RSA SHA-256 (asymmetric)RS384 - RSA SHA-384 (asymmetric)RS512 - RSA SHA-512 (asymmetric)ES256 - ECDSA SHA-256 (asymmetric)ES384 - ECDSA SHA-384 (asymmetric)ES512 - ECDSA SHA-512 (asymmetric)
Note
- If
tokenNeverExpires: false, both tokenExpiresInAmount and tokenExpiresInUnit are required.
jwtSignatureAlgorithm is required.refreshTokenCount limits the number of active refresh tokens per user.
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
cURL Example
curl -X POST \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/jwt-auth-policy/" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-auth-jwt",
"description": "JWT authentication policy",
"active": true,
"tokenNeverExpires": false,
"tokenExpiresInAmount": 3600,
"tokenExpiresInUnit": "SECONDS",
"refreshTokenAllowed": true,
"refreshTokenCount": 5,
"refreshTokenExpiresInAmount": 86400,
"refreshTokenExpiresInUnit": "SECONDS",
"allowUrlParameters": false,
"managedFromThisPolicy": true,
"grantType": "PASSWORD",
"jwtSignatureAlgorithm": "HS256"
}
}'
Update Policy
Endpoint
PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
| Header |
Value |
| Authorization |
Bearer {token} |
| Content-Type |
application/json |
Path Parameters
| Parameter |
Type |
Required |
Description |
| projectName |
string |
Yes |
Project name |
| apiProxyName |
string |
Yes |
API Proxy name |
| policyName |
string |
Yes |
Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-auth-jwt",
"description": "Updated JWT authentication policy",
"active": true,
"tokenNeverExpires": false,
"tokenExpiresInAmount": 7200,
"tokenExpiresInUnit": "SECONDS",
"refreshTokenAllowed": true,
"refreshTokenCount": 10,
"refreshTokenExpiresInAmount": 172800,
"refreshTokenExpiresInUnit": "SECONDS",
"allowUrlParameters": false,
"managedFromThisPolicy": true,
"grantType": "CLIENT_CREDENTIALS",
"jwtSignatureAlgorithm": "RS256"
}
}
Note: Request body structure is the same as Add Policy. All fields should be provided for update.
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
cURL Example
curl -X PUT \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/jwt-auth-policy/" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": true,
"deployTargetEnvironmentNameList": ["production"],
"order": 1
},
"policy": {
"type": "policy-auth-jwt",
"description": "Updated JWT authentication policy",
"active": true,
"tokenNeverExpires": false,
"tokenExpiresInAmount": 7200,
"tokenExpiresInUnit": "SECONDS",
"refreshTokenAllowed": true,
"refreshTokenCount": 10,
"refreshTokenExpiresInAmount": 172800,
"refreshTokenExpiresInUnit": "SECONDS",
"allowUrlParameters": false,
"managedFromThisPolicy": true,
"grantType": "PASSWORD",
"jwtSignatureAlgorithm": "HS256"
}
}'
Delete Policy
Endpoint
DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/
Request
| Header |
Value |
| Authorization |
Bearer {token} |
| Content-Type |
application/json |
Path Parameters
| Parameter |
Type |
Required |
Description |
| projectName |
string |
Yes |
Project name |
| apiProxyName |
string |
Yes |
API Proxy name |
| policyName |
string |
Yes |
Policy name |
Request Body
Full JSON Body Example
{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": false
}
}
Request Body Fields
| Field |
Type |
Required |
Description |
|
| targetScope |
string |
Yes |
Policy scope: ALL or ENDPOINT |
|
| targetPipeline |
string |
Yes |
Pipeline: REQUEST, RESPONSE, or ERROR |
|
| deploy |
boolean |
No |
false |
Whether to deploy after deletion |
Response
Success Response (200 OK)
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": []
}
}
cURL Example
curl -X DELETE \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/jwt-auth-policy/" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"operationMetadata": {
"targetScope": "ALL",
"targetPipeline": "REQUEST",
"deploy": false
}
}'
Notes and Warnings
- Token Expiration:
- When
tokenNeverExpires: false, provide tokenExpiresInAmount and tokenExpiresInUnit
- When
tokenNeverExpires: true, tokens never expire (use with caution)
- Refresh Tokens:
- When
refreshTokenAllowed: true, clients can refresh expired access tokens
refreshTokenCount limits concurrent refresh tokens per user- Refresh tokens have separate expiration settings
- Grant Types:
PASSWORD - Username/password authenticationCLIENT_CREDENTIALS - Client ID/client secret authentication
- Signature Algorithms:
- Symmetric (HS256, HS384, HS512) - Use shared secret
- Asymmetric (RS256, RS384, RS512, ES256, ES384, ES512) - Use public/private key pair
- URL Parameters: When
allowUrlParameters: true, tokens can be passed in URL (less secure)
- Managed Policy: When
managedFromThisPolicy: true, tokens are issued and managed by this policy
- KeyStore: For RSA/ECDSA algorithms, configure KeyStore with public/private keys
- Deployment: Policy changes require deployment to take effect. Set
deploy: true or deploy manually.